
Executive Summaries Oct 18, 2024
Right to Data Portability: Is your Organization Ready?
On September 22, 2024, the final phase of the changes brought by Act 25 in Québec came into force with the introduction of the right to data portability. The new measure affects most organizations, in particular in the way they’ll need to respond to requests from concerned individuals, with the obligation to set up technological means to provide access to their personal information.
What is the Right to Data Portability?
This new obligation is inspired by the General Data Protection Regulation (GDPR), adopted in Europe. It allows individuals whose personal information is held by an organization to receive, in a structured and commonly used technological format, the computerized personal information that the organization collected from them.
By exercising their right to data portability, individuals may obtain their personal information, in a technological format, which an organization has collected electronically, notably to make it easier for them to hire the services of another organization and enable system interoperability. As an example, and subject to the application of sector-specific legislation, individuals may exercise their right to data portability when opening a bank account in a new financial institution by asking their current bank to supply them with all the computerized personal information provided when the first account was created, in accordance with the provincial and federal laws that apply. Job applicants may also request that the personal information they have provided on an online form be communicated to them.
The right to data portability exists as a complement to the customary mechanism for requesting access to personal information provided for by Act 25. Since the amendments to the Act respecting the protection of personal information in the private sector came into effect in September 2023, individuals may have access to this type of personal information in the form of a written and intelligible transcript.
What Personal Information would be Subject to the Right to Data Portability?
To be subject to the right to data portability, personal information must:
- Have been collected from the individual exercising his right to data portability;
- Be stored on a computerized medium. Accordingly, personal information collected using physical means, including printed forms or handwritten notes, may not be subject to the right to data portability; and
- Not have been created or inferred from the information that was provided to the organization.
By way of example, personal information provided by a consumer who purchases clothing online, including shipping address, e-mail address, name, and credit card details, is all personal information subject to the right to data portability. Personal information such as a person’s height or gender, which may be inferred from the personal information provided for an online clothing order, may not be subject to the right to data portability. Likewise, if the company has designed a sophisticated buyer categorization system, the category to which this buyer belongs would not have to be disclosed.
How to Exercise One’s Right to Data Portability
Within 30 days of a written request from individuals, organizations that hold digitized personal information meeting the aforementioned criteria must provide the information in a “structured, commonly used technological format”. This concept is not explicitly set out in Québec law, but may be interpreted in a manner similar to the GDPR and in the same manner as the Québec government applies it to public organizations. Accordingly, in the absence of a clear guideline from Commission d’accès à l’information (CAI), the data format may be XML, JSON or CSV, and a “structured and commonly used format” may allow individuals to reuse their personal information for another service or to provide it to another organization.
What is the Limit to the Right to Data Portability?
Organizations may decline to grant a data portability request if it would lead to serious practical difficulties, for example, if transferring personal information to a structured technological format proves too complex. This exception is not detailed in law and may be subject to guidelines issued by Commission d’accès à l’information.
On its web site, CAI indicates that this is a case-by-case issue; moreover, it cites an example where it ruled that the significant costs involved in responding to a request would cause a serious practical difficulty.
How your Organization can comply with the Right to Data Portability
To ensure its readiness to respond to requests from individuals asserting their right to data portability, your organization would be well advised to:
- Ensure, if you have not already done so, that your privacy policies are up to date, indicate the person to contact within your organization, and include the procedures for exercising the right to data portability;
- Be able to distinguish between computerized personal information that you hold that has been collected from the individual making the request and personal information that has been inferred from the individual’s personal information;
- Have the technological tools needed to communicate this personal information in a structured and commonly used technological format; and
- Be able, wherever appropriate, to explain to individuals that you are unable to comply with their data portability request for reasons of serious practical difficulties.
Organizations must respond to requests for the right to data portability within 30 days of receipt, failing which they will be deemed to have refused to grant the request and may be subject to a disagreement application filed with Commission d'accès à l'information.